
Commit 8de9e37

committed
Fix remote code execution and privilege escalation vulnerability.
Triggering this requires already having a user. Thanks to Jeriko One <jeriko.one@gmx.us> for finding and reporting this. CVE-2019-12816
1 parent 3bced9a commit 8de9e37


2 files changed

+30
-9
lines changed

2 files changed

+30
-9
lines changed

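--- a/include/znc/Modules.h
+++ b/include/znc/Modules.h
@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
 private:
 static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
 CModInfo& Info, CString& sRetMsg);
+static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
 
 protected:
 CUser* m_pUser;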
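Review bot: The new `ValidateModuleName` declaration carries no comment stating what it guarantees, yet the rest of this commit depends on every entry point remembering to call it. A short contract on the declaration would make that obligation visible, e.g. `// Returns true only if sModule consists of [0-9A-Za-z_]; on failure sets sRetMsg. Call before a module name is used to locate or open a module file.` The class body continues outside this hunk, so other members that accept a module name cannot be checked from here.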

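--- a/src/Modules.cpp
+++ b/src/Modules.cpp
@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
 return nullptr;
 }
 
+bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
+for (unsigned int a = 0; a < sModule.length(); a++) {
+if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+sRetMsg =
+t_f("Module names can only contain letters, numbers and "
+"underscores, [{1}] is invalid")(sModule);
+return false;
+}
+}
+
+return true;
+}
+
 bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
 CModInfo::EModuleType eType, CUser* pUser,
 CIRCNetwork* pNetwork, CString& sRetMsg) {
 sRetMsg = "";
 
+if (!ValidateModuleName(sModule, sRetMsg)) {
+return false;
+}
+
 if (FindModule(sModule) != nullptr) {
 sRetMsg = t_f("Module {1} already loaded.")(sModule);
 return false;
@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
 
 bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
 CString& sRetMsg) {
+if (!ValidateModuleName(sModule, sRetMsg)) {
+return false;
+}
+
 CString sModPath, sTmp;
 
 bool bSuccess;
@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
 
 bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
 const CString& sModPath, CString& sRetMsg) {
+if (!ValidateModuleName(sModule, sRetMsg)) {
+return false;
+}
+
 ModInfo.SetName(sModule);
 ModInfo.SetPath(sModPath);
 
@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
 // Some sane defaults in case anything errors out below
 sRetMsg.clear();
 
-for (unsigned int a = 0; a < sModule.length(); a++) {
-if (((sModule[a] < '0') || (sModule[a] > '9')) &&
-((sModule[a] < 'a') || (sModule[a] > 'z')) &&
-((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
-sRetMsg =
-t_f("Module names can only contain letters, numbers and "
-"underscores, [{1}] is invalid")(sModule);
-return nullptr;
-}
+if (!ValidateModuleName(sModule, sRetMsg)) {
+return nullptr;
 }
 
 // The second argument to dlopen() has a long history. It seems clear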
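Review bot: `ValidateModuleName` (new lines 1627-1640) returns true for an empty `sModule` because the loop body never runs; the check was moved verbatim from `OpenModule`, so this is inherited rather than introduced, but it now gates `LoadModule`, `GetModInfo` and `GetModPathInfo` as well. Whether an empty name can reach path lookup is not visible in these hunks, so it is worth rejecting it explicitly ahead of the loop, e.g. `if (sModule.empty()) { sRetMsg = t_f("Module names can only contain letters, numbers and underscores, [{1}] is invalid")(sModule); return false; }`. The rejection message also echoes the caller-supplied name back through `sRetMsg`, so any consumer that renders it as markup needs to escape it (those consumers are outside this diff). A regression test that passes an empty name and names containing `/` or `.` to each of the four entry points would keep the allow-list from silently regressing. The bodies of `LoadModule`, `GetModInfo`, `GetModPathInfo` and `OpenModule` all continue outside the hunks shown.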
